Today the house I live in got a new "Next gen electric meter". Had a chance to speak to the installer and it's obvious there's some dis/mis-information going on.. he claims the unit communicates via satellite, but most of us would quickly realize that this is quite impossible for such a small device.

So for the past few minutes we've been discussing things with id regarding the technology they might be using and wondering what type of security measures these small units might be capable of.

You can view almost the identical meter that got installed through this link. And if you read the description, you will see that they state "Provides full security and encryption for today’s stringent requirements". Of course, I actually read "we got a password, and use 64bit encryption".

Some of my first thoughts focus on altering the data in the unit, but the implications of breaking their 'security measures' might mean gaining access to their central office.. and given the recent news that the NSA discovered various power companies throughout the US had already been penetrated by foreign hackers, makes me wonder how serious these companies have taken security.. or better yet.. what the importance of security is on a day to day basis..

Quote
Davis and his IOActive colleagues designed a worm that self-propagates across a large number of one manufacturer's smart meter. Once infected, the device is under the control of the malware developers in much the way infected PCs are under the spell of bot herders...It exploits an automatic update feature in the meter that runs on peer-to-peer technology that doesn't use code signing or other measures to make sure the update is authorized...One deficiency common among many of the meters is the use of insecure programming functions, such as memcpy() and strcpy()

Also, I looked up the Access Point that the meters are using. There's some brief info here which raises its own alarms in my head, from the pdf:

Quote
From end-to-end, the Smart Grid network is managed and controlled by UtilityIQ®... [A] feature-rich, Web-based interface [that] collects and displays critical network statistics and alarms from numerous data sources, including electricity, water, and gas meters... And it gives you a scalable platform that enables advanced applications to be deployed—both now and in the future—to add even more value to service offerings.

I think those 6 words sum up how important security was at the time of design.

Thanks for the info tx.. I was pretty sure they weren't going to be that secure, but now I realize that it goes way beyond not being secure.. now if you piss off the right person you might be without power and gas for a while.

Didn't need to read that in their paper.. the instant I saw the guy installing these new meters I joked with him about hacking into it and having it report that we only used 2kwH this month.. he laughed, but was one of those laughs as to say "hmm.. what a great idea!"..

I'm sure some dumb kid will try doing that and will most likely get caught, those are not the ones that scare me.. the ones that scare me are the ones that will be able to take control of the meters without being detected.. as I told id:

Quote
I think that it's going to be the next undetected worm.. imagine someone silently taking over these meters.. first it's just a few dozen, then it's hundreds, next is thousands, suddenly you control 99% of all meters in a metropolitan area, including businesses, private homes, hospitals.. and your occasional bank.. I just really think it's a bad idea to put things on-line.. think of the fun people were having with those "control your lights from the internet" crap.. well, this is just slightly more accessible and less monitored..

it's just a huge attack surface with hardly any monitoring

Now, I understand I'm a paranoid nutjob, it's part of being in this business and having seen what people can do, but deploying millions of these things without having taken serious consideration into their security, it's about as careless as putting millions of Windows 95 computers directly connected to the internet via real world IP addresses and up-all-day internet connections. Except that now it's not just pop's pr0n downloads that are going to be disrupted.. it's the same power grid the FBI just recently announced it had discovered backdoors to.

How convenient that now we're providing a larger attack surface for them to penetrate..

Quote
Complete security is only a fool's goal, managing risk is what matters.

Yes! Glad to see that strategy worked well for you at TJMaxx..

You're lucky you're 2500 miles away or I'd whack you over the head.. Yes, complete security may be unattainable, however, not taking it into consideration during the design process is also foolish.

You don't have the security guard design your safe, even though he might be the person most familiar with it. And if security engineers were as hard to find as a good safe designer I might just agree with your statement. However, this is not the case. But companies are still having their safes designed by their security guards.

intuitive == ease of use, aka, usability
web-based == sla.ckers never saw this code
advanced web services APIs == we built some shit and think it works

Starting the paragraph with 'securely' does not mean they took security into account. Risk management for them meant the use of 'securely' in their description I'm sure. And again, I agreed with you on the 'complete security' portion.. going back to my safe analogy, there will never be a completely secure safe.. if it can be opened, well, it can be opened. However, this doesn't mean that safe builders are creating a cube with one end completely open.. it still means taking into consideration the aspect of security with locks and combinations, etc., etc.. so why in hell build an "intuitive web-based interface with advanced web services APIs" that allows for more holes to be built rather than a very simple push technology that allows you to gather the data and then you can make it look purdy????

A simple vt100 (or if you're sadistic, tn3270) interface with a 16 char password that locks out after 3 bad tries for 24 hours would suffice. Oh, and yes, there is NO risk in enabling a device to allow for remote shut-down of power.. none.. zip, zero, zilch!

>>And actually.. being without electricity would be the least of the problems.. imagine tampering with the data to the point where someone's utility bill comes out to the millions of dollars..

I'd expect people to tamper with their own meter if they have say a wind turbine or solar panel on their property. That way when meter runs backwards and power company pays them for their excess power, they can change the numbers so it appears they gave more power to the grid than they actually did. Thus profit$!

The way the power rules in CA work (and most power authorities), is they only have to credit you back for power that you use from the grid, they can still suck as much as you're willing to give...so no $$

/rant on
Like I said in another post, we have a saying in Corrections, "security is not convenient..." and it's ALWAYS going to take a back seat to whatever makes our lives "easier". It's the long-standing fight between good and evil, management and security- management finds ways to do things differently, security is there to mitigate the risks that come along with those changes. Doesn't matter if it's a change in technology or a change in methodology. And yes, we'll always be the red-headed step-child since it's our job to try to tighten down the nuts and bolts as much as possible. :)

Human beings are lazy, but companies are even more lazy. The more technological our advances, the lazier society as a whole gets. Is it more convenient, (read costly) to have software that can read and transmit utility usage while only having to train calling center personnel on how to use the software OR to have to pay the utility person, as well as cost of gas, wear and tear on the vehicle, etc. to go read the meters? Security versus saving money? Guess which one wins...and just like TJ MAXX and these other companies that get hacked, lose a crapload of customer data- the utilities are going to hate life when something happens. Especially when it happens to someone that has the money to pay out for the lawyers to rape them in court. And when it does, hopefully someone sees the article and finds this forum post so we can say, "I TOLD YOU SO"! LOL!!!

/rant off

Kind of off topic, but sorta goes along with the conversation. Does anyone remember the movie "The Gods Must Be Crazy"? It's about a tribe in Africa where a pilot tosses a Coke bottle out the window and the tribe uses it as a tool, things get all crazy so the chief of the tribe takes it to the end of the world to return it back to the gods. Ooooold movie, but I think it has some different ways of looking at what happens as we gain more tools that make life easier.

--------------------------------------------------------
Regarding gun carry laws: I'd rather be judged by 12 than carried by six...

Yes, he decides to give it back to the gods because everyone in his village was fighting over it... suddenly everyone NEEDED it..

Taking what you said in consideration, I ask you the following. Which will be cheaper, having the guy go to your house to read the meter, or having the guy go to your house to do software upgrades every time a new bug is released? And of course, this will no longer be just a 'meter reader' wage.. he has to be an 'engineer'..

But as I said above, it would have been much simpler to just have the meter spew out all the info and making it look pretty in the office, just like mainframes did in the old days.. they just threw out information.. getting a new account added was a pain in the butt, but guess what? They were secure..

Oh, I agree that they should leave well enough alone, bud. My argument is that the more things advance, the more complicated they become, the harder they are to secure, the cost of providing services goes up exponentially. But, in management's eyes- "upgrading" will cost less and make them "more efficient"...they don't look at the security issues of things, and even if they had a CISO or CSO telling them the implications- they more than likely didn't see past the $$$ in their eyes. :)

I believe in K.I.S.S - the simpler, the better and the easier to account for and secure. Besides, that's taking jobs away! Like we need that...

@clayfox - Good point.. didn't think of that one.. of course, that's given that the excess lights don't cause a fire at the house and forces the fire department to come out to put out all your pot.. :)

lower the thermostat setting in the summer by a couple degrees for everyone on a given grid... increase overall power consumption considerably... down goes grid... score free ice cream from stores giving it away before it melts!!!